Gentoo Forums
firewall, sshguard and interpreting log files
Forum: Networking & Security
erg_samowzbudnik (Apprentice)
Joined: 09 Sep 2011
Posts: 211
Location: European sticks
Posted: Tue Mar 21, 2023 5:15 pm    Post subject: firewall, sshguard and interpreting log files

Hi.

I have a network consisting of a router (OpenWrt) filtering incoming traffic on all but a few ports and forwarding it to a Raspberry Pi running Gentoo.
On the RPi I have sshd and sshguard running.
I should think traffic to ports that are restricted by the firewall on the router shouldn't appear in the logs on the RPi, but it does: I see attacks on ssh coming in on various ports.
But when I fire up tcpdump on the RPi and try to get through the firewall, that traffic does not arrive at the RPi.
What gives?
Here is a sample of the logs:
Code:
Mar 21 18:01:36 pie sshd[21335]: Received disconnect from 8.213.25.141 port 53910:11: Bye Bye [preauth]
Mar 21 18:01:36 pie sshd[21335]: Disconnected from authenticating user root 8.213.25.141 port 53910 [preauth]
Mar 21 18:01:36 pie sshguard[2291]: Attack from "8.213.25.141" on service SSH with danger 10.
Mar 21 18:01:36 pie sshguard[2291]: Attack from "8.213.25.141" on service SSH with danger 10


Do I read the second line here correctly, that the attack came in on port 53910?
What are those numbers after sshd[21335] and sshguard[2291]?

I use ssh keys, but the noise in the logs is most annoying.
pingtoo (l33t)
Joined: 10 Sep 2021
Posts: 926
Location: Richmond Hill, Canada
Posted: Tue Mar 21, 2023 5:40 pm

erg_samowzbudnik,

On your OpenWrt box, does it have the "iptables" command? If it does, please share the output of
Code:
iptables -v -L
Please review the output before posting and mask out any sensitive data.

erg_samowzbudnik wrote:
when I fire up tcpdump on the RPi and try to get through the firewall, that traffic does not arrive at the RPi.
My guess: could it be possible that you used the wrong device for your tcpdump?

So do you think your sshguard is working, as in the attack messages only show up a few times (because sshguard blocks it)? Or is sshguard not working, as in you continue seeing the attack messages?
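An added worked example (not code from either poster, nor from OpenSSH or sshguard) that answers the two questions raised above in code: what the fields in those log lines are, and how to tell from the log alone whether sshguard's blocks are taking effect. The number in square brackets after `sshd` and `sshguard` is the syslog PID of the logging process (each incoming connection is handled by its own forked `sshd` child, so the PID changes per connection while `sshguard[2291]` stays constant). The `port 53910` after the client address is the remote client's ephemeral source port, chosen by the attacker's operating system; the local service port the connection arrived on (22 by default) is not printed in these lines at all, so the "various ports" seen in the log say nothing about which ports the router forwards. The sample log is constructed, modelled on the lines quoted in the thread; the `Blocking "..."` line is assumed to have the shape sshguard 2.x uses, and the second source address is from the RFC 5737 documentation range.

```python
"""Parse sshd / sshguard syslog lines and summarize activity per source IP.

Added example for this thread; not code from OpenSSH or sshguard.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the thread (not real traffic).
# The "Blocking" line is assumed to follow the sshguard 2.x message format.
SAMPLE_LOG = """\
Mar 21 18:01:36 pie sshd[21335]: Received disconnect from 8.213.25.141 port 53910:11: Bye Bye [preauth]
Mar 21 18:01:36 pie sshd[21335]: Disconnected from authenticating user root 8.213.25.141 port 53910 [preauth]
Mar 21 18:01:36 pie sshguard[2291]: Attack from "8.213.25.141" on service SSH with danger 10.
Mar 21 18:01:40 pie sshd[21340]: Disconnected from authenticating user root 8.213.25.141 port 53944 [preauth]
Mar 21 18:01:40 pie sshguard[2291]: Attack from "8.213.25.141" on service SSH with danger 10.
Mar 21 18:01:41 pie sshguard[2291]: Blocking "8.213.25.141/32" for 120 secs (3 attacks in 5 secs, after 1 abuses over 5 secs.)
Mar 21 18:02:03 pie sshd[21351]: Disconnected from authenticating user admin 203.0.113.7 port 41022 [preauth]
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# sshd: "... from [authenticating user USER] IP port PORT ...".  PORT is the
# remote client's *source* port; the local listening port is not logged here.
SSHD_PEER_RE = re.compile(
    r"from (?:authenticating user (?P<user>\S+) )?(?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
SSHGUARD_ATTACK_RE = re.compile(
    r'Attack from "(?P<ip>[^"]+)" on service (?P<service>\S+) with danger (?P<danger>\d+)'
)
SSHGUARD_BLOCK_RE = re.compile(r'Blocking "(?P<cidr>[^"]+)" for (?P<secs>\d+) secs')


def parse_line(line):
    """Return a dict describing one log line, or None if it is not a syslog line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # pid: the process id in square brackets (a per-connection sshd child,
    # or the long-running sshguard daemon).
    ev = {"ts": m["ts"], "host": m["host"], "prog": m["prog"],
          "pid": int(m["pid"]), "kind": "other"}
    msg = m["msg"]
    if ev["prog"] == "sshd":
        p = SSHD_PEER_RE.search(msg)
        if p:
            ev.update(kind="sshd_peer", ip=p["ip"], src_port=int(p["port"]),
                      user=p["user"])
    elif ev["prog"] == "sshguard":
        a = SSHGUARD_ATTACK_RE.search(msg)
        b = SSHGUARD_BLOCK_RE.search(msg)
        if a:
            ev.update(kind="attack", ip=a["ip"], service=a["service"],
                      danger=int(a["danger"]))
        elif b:
            ev.update(kind="block", cidr=b["cidr"], secs=int(b["secs"]),
                      ip=b["cidr"].split("/")[0])
    return ev


def parse_log(text):
    """Parse every syslog line in text, in order, skipping non-matching lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Per source IP: sshd child PIDs seen, distinct client source ports,
    number of sshguard attack events, and whether sshguard reported a block."""
    out = defaultdict(lambda: {"pids": set(), "src_ports": set(),
                               "attacks": 0, "blocked": False})
    for ev in events:
        ip = ev.get("ip")
        if not ip:
            continue
        s = out[ip]
        if ev["kind"] == "sshd_peer":
            s["pids"].add(ev["pid"])
            s["src_ports"].add(ev["src_port"])
        elif ev["kind"] == "attack":
            s["attacks"] += 1
        elif ev["kind"] == "block":
            s["blocked"] = True
    return dict(out)


def still_attacking_after_block(events, ip):
    """True if sshd still logs new connections from ip after sshguard reported
    blocking it: a sign the block is not taking effect on the packet filter."""
    blocked = False
    for ev in events:
        if ev.get("ip") != ip:
            continue
        if ev["kind"] == "block":
            blocked = True
        elif blocked and ev["kind"] == "sshd_peer":
            return True
    return False


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for addr, stats in summarize(evs).items():
        print(addr, stats, "still connecting after block:",
              still_attacking_after_block(evs, addr))
```

Run it against a real `/var/log/messages` (or `journalctl -o short` output) instead of `SAMPLE_LOG`: if `still_attacking_after_block` keeps returning True for addresses sshguard says it blocked, sshguard is logging attacks but its firewall backend is not actually dropping the traffic, which is the "sshguard is not working" case pingtoo asks about.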
All times are GMT